Feature: Add Certipy [shadow] command to Linux abuse section for Shadow Attack scenarios #2064

@strikoder

Description

Feature Description

Add support for the Certipy [shadow] technique in the Linux abuse section for cases where Shadow Attack exploitation is applicable (for example when the target account has GenericAll or similar privileges over a certificate template or object). Unlike pywhisker, which outputs only a certificate and requires additional tools (such as PKINITtools) to generate a TGT, Certipy’s shadow functionality directly produces both a usable TGT and the corresponding hash, making the workflow more complete and efficient.

Are you intending to implement this feature?

Yes

Current Behavior

The Linux abuse section currently documents and demonstrates the use of pywhisker for certificate-based abuse paths. While functional, it only produces a certificate file and does not generate a TGT or NTLM hash. Users must rely on external tooling (e.g., PKINITtools) to complete the attack chain.

Use Case

Users performing AD CS abuse from Linux often require a full Shadow Attack chain (certificate → TGT → hash). Certipy’s [shadow] support removes the need for multiple tools and ensures the workflow matches what BloodHound’s abuse recommendations are intended to provide: smooth attack vectors.

Implementation Suggestions

Add Certipy [shadow] examples to the relevant Shadow Credentials attack, Linux abuse sections (e.g., GenericAll)

Additional Information

Certipy documentation: https://github.com/ly4k/Certipy

Labels: enhancement (New feature or request), ticketed (automation only: ticket has been created internally for tracking), triage (this issue requires triaging)